Adventures in Debit Card Fraud

Susan Friedland, Marketing and Communications

Shapiro Financial Security Group, Inc.

May 11, 2017

This past Monday, I sat down to pay our bills. As usual, I pulled up our bank account information online to see what our balance was and which purchases or checks had cleared. As I reviewed the account, I noticed 3 unusual debits that had been made on my husband’s ATM card the previous day. They were each for a substantial amount of money totaling almost $2200! The withdrawals had all been made in places to which we had not been. Knowing that we always talk to each other before making a purchase or withdrawal over $200, I gave Tom a call at the office to alert him to the activity on our account. He called the bank, they cancelled his debit card and told him that he had to report the theft of funds to our local police precinct in Brooklyn, NY. I went along with him to the precinct as I had been the one to note the charges (and to offer moral support).

After talking to the desk sergeant, another officer came over and asked if the charges had been for odd amounts such as $763. We were shocked as that was the exact amount of one of the withdrawals – it turned out that we were not the first people she had talked to over the past two days. She also asked where in the neighborhood Tom had used his ATM card. As we were talking to the detective, another woman came into the precinct having had exactly the same experience!

The detective informed us that there appeared to be a skimmer that had been placed into the vestibule ATM at our local bank branch sometime in the past 3 months, but it had taken the thieves some time to recreate the stolen bank cards and begin to use them. As the case was growing larger by the hour and with the potential size of the thefts, it was turned over to the Financial Crimes Unit of the NYPD/NY District Attorney that afternoon.

We are lucky. Since we caught the theft so quickly and reported it, we have been told by our bank that they will reimburse us for the funds (however, no clue as to when) and we had enough in a non-linked savings account to assist us in covering our bills for the month. But what if I hadn’t looked at the account that day? What if we had a bank that didn’t reimburse thefts? What if we didn’t have the funds to cover our expenses? Or our savings account was linked to our checking account and they had been able to access those funds?

The experience really shook me. As people who work for a Financial Planner where information security is of the highest priority (I am the Communications Director and write on security issues; Tom is the Information Technology officer who is responsible for cybersecurity for the firm), we are very alert to, and aware of, the various threats we face in an online world. We try to take every precaution against being scammed. Yet here we were, victims of a cybercrime.

Skimming

Skimming is actually a relatively old practice in the cybercrime world. A skimmer is a device that is placed into an ATM or other Point-of-Sale (POS) location to read, record and transmit the information from the magnetic stripe on a bank or credit card. The stolen information is then used for nefarious purposes. It used to be that the thieves needed to physically attach the skimmer to the unit, thereby giving some hint that the unit had been compromised. The thief would also have to return to retrieve the device, giving the merchant a chance to catch them.

This is no longer the norm. Among the newest tools are ‘deep-insert’ skimmers that disappear into the payment device card slot, behind the shutter of the motorized card reader and are completely hidden from the consumer. They are often used with tiny cameras or other devices that capture cardholders’ personal identification numbers when they punch them in on the keypad. The newer versions are able to transmit the data wirelessly to the thieves who are then able to make duplicate copies of the debit card.[i]

Due to the fact that these newer devices sit well inside the card reader, they are unlikely to be affected by most active anti-skimming jamming solutions.[ii] In other words, they are practically undetectable even by institutions or businesses with the best technology.

This appears to be what happened to Tom and me. These thieves were more brazen than most as they were able to breach an ATM secured within a bank branch.

Protecting Yourself

A recent study from FICO Card Alert Services shows that skimming has become a huge problem. They report a 70% increase in the number of compromised debit cards in 2016 at ATMs and POS devices used by merchants. In addition, there was a 30% increase in the number of card readers that were hacked in the same time period.[iii] To protect yourself as best you can, Consumer Reports, along with law enforcement sources, suggests the following actions[iv]:

Do not use remote ATMs and POS terminals – ATMs that are in low-traffic and/or poorly lit areas are most likely to be vulnerable to tampering. Gas pumps that accept credit cards at stations off of the main highways are also highly vulnerable. The safest ATMs are those in bank vestibules or at bank drive-ups. Yet, as this story tells, these may be targeted also.

Look for signs of tampering – Before using an ATM or POS terminal:

Try wiggling the keypad or card slot. If anything seems loose, do not use the device.

Look for unusually colored or raised keypads. A thief could have placed an overlay on the keypad to record the identification number you punch in.

On a gas pump, check to see if the security tape that seals the card reader has been tampered with. A broken seal may indicate tampering.

Protect your PIN – Always place your hand over the keypad when entering your PIN in case there is a pinhole camera placed to record it. Always be alert to who is around you when you are using an ATM.

Use a chip card – Credit and debit cards that use the newer chip technology offer better protection than those with only magnetic stripes. However, this only applies if you do not have to insert your whole card into the device’s reader. If you insert the entire card, the skimmer will be able to read the data from the magnetic stripe.

FICO recommends setting up an alert so you are notified when money is withdrawn.

Also, check your bank’s policy on reimbursement of funds in cases of fraud or breaches, and on any time limits for reporting an incident.

Consider not linking your accounts so, even if one is breached, the others stay off limits.

If you are a victim of skimming, notify your bank immediately and then your local police department. Run a complete credit report and notify the credit bureaus to place a fraud notice on your card.

Place limits on daily withdrawals from the ATM, and limits on the amount that can be used to make a purchase.

Check your credit reports. Often.

Use a credit card where and when you can – The major credit card companies provide fairly widespread protections if fraud occurs.

Use a credit monitoring service – If you have been the victim of a data breach or credit card information hack, ask the affected institution to extend free credit monitoring services to you. Many will provide this for one year from the time of the incident. For ongoing protection, it is a good idea to use a credit monitoring service. Check out this website to compare the different options for ongoing credit monitoring: http://www.nextadvisor.com/credit_report_monitoring/compare.php

As much as an experience like this one makes me want to return to a pre-internet existence, I know it is impossible. Unfortunately, we are all tied into the internet and this makes us vulnerable. It is an uncomfortable place to be, requiring us to put out energy and resources we would really prefer to use for more enjoyable pursuits. But, I guess there isn’t much choice. We just have to protect ourselves as much as possible and then go with the flow.

For further suggestions on how to minimize these vulnerabilities, please read “Minimizing Internet Risk” available on our website, www.ShapiroFSG.com.